Chapter IV Supplementary Provisions |
Article 30 | Articles 38 through 41 of the Regulations Governing the Establishment of Internal Control Systems by Public Companies shall apply mutatis mutandis to a service enterprise's supervision and management over its subsidiaries. Where a service enterprise's subsidiary is also a service enterprise as defined under Article 3 of these Regulations, its supervision and management over such subsidiary is exempted from the provision of the preceding paragraph. |
|
Article 31 | A service enterprise shall specify in its internal control system the penalties for violation of these Regulations or its internal control system rules by members of management and relevant personnel. A service enterprise shall from time to time check, with respect to its internal auditors, whether there is any violation of Article 12, paragraph 1 in relation to the "qualified" and "full-time" requirements or Article 17, paragraph 2, and upon discovery of any violation, shall adjust the position of the auditor within 1 month from the date of discovery, unless otherwise provided by law or regulation. When reporting basic information on internal auditors pursuant to Article 19, a service enterprise shall check whether or not the internal auditors have met the requirements under Article 18, paragraph 1. If any auditor has not, the auditor shall take corrective measures within 1 month; otherwise, the service enterprise shall promptly adjust the auditor's position, unless otherwise provided by law or regulation. |
|
Article 32 | If any of the following circumstances occurs to the internal chief auditor of a service enterprise, the competent authority may, depending on the severity of the circumstance, issue a reprimand, order him or her to make corrections within a specified time limit, or order the service enterprise to dismiss the internal chief auditor from his or her position: 1. Has engaged in any improper transfer of funds with any customer, as proven by factual evidence. 2. Has abused authority of office, there is factual evidence showing that he or she has carried out improper activities, or he or she has committed an act in breach of official duties with intent to gain illegal benefit for him/herself or a third party, or intending to harm any interest of the enterprise, causing damage to the enterprise or any third party. 3. Has disclosed, delivered, or made public the whole or any part of the content of the financial examination report to any person unrelated to the execution of duties without the approval of the competent authority. 4. Has failed to notify the competent authority of any significant malpractice that because of poor internal management has occurred in the enterprise. 5. Has failed to disclose in an internal audit report any significant deficiency identified in the finances or business of the enterprise. 6. Has issued a fraudulent internal audit report on internal audit findings. 7. Has failed to identify a serious deficiency in finances or business operations as a result of obviously insufficient staffing or staffing of obviously incompetent internal auditors in the enterprise. 8. Has failed to follow the instructions of the competent authority in conducting audit work or in providing relevant information. 9. Has otherwise committed any act that impairs the reputation or interests of the enterprise. |
|
Article 33 | Under any of the following circumstances, the competent authority may order a service enterprise to make improvements within a prescribed time limit, or where necessary, to engage a CPA to conduct a special audit of its internal control system and obtain an audit report and submit it to the competent authority for recordation: 1. Failure to document its internal control system. 2. Failure to appoint qualified personnel as full-time internal auditors or to appoint them in an appropriate number. 3. Failure to file a report within a prescribed time limit on, or failure to scrupulously execute, its annual audit plan. 4. Failure to file a report within a prescribed time limit on the actual execution of its annual audit plan. 5. Failure to file a report within the prescribed time limit on the correction of any deficiency or irregularity of the internal control system identified in an audit. 6. Failure to duly conduct self-assessment of its internal control system or to prepare a Statement on Internal Control. 7. Serious instance of failure to correct a deficiency of the internal control system pursuant to the internal control recommendations issued by a CPA. 8. Serious instance of false external financial reporting or violating a law, regulation, or bylaw. 9. Any material fraud or suspicion of fraud. 10. Other condition where the competent authority deems a special audit to be necessary. |
|
Article 34 | A service enterprise shall ensure the confidentiality of the financial examination report. Its responsible person or employees, except as provided by law or regulation or approved by the competent authority, may not read, nor may they disclose, deliver, or make public to any person unrelated to the execution of duties, the whole or any part of the content of the financial examination report. |
|
Article 35 | When a service enterprise makes any concealment of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system or legal compliance system, or the results of implementation of improvement of any deficiency specified by a competent authority in an examination opinion requiring review and follow-up, or the internal audit unit otherwise conceals any audit findings, and it results in material malpractice, the personnel involved shall be held responsible for negligence in their duties. A service enterprise shall reward an internal auditor who identifies any significant malpractice or negligence and thereby averts material loss to the enterprise. When a material deficiency or malpractice arises within the management or operational units of a service enterprise, the internal audit unit shall have the power to recommend penalties, and shall make a full disclosure in the internal audit report of the negligent personnel who shall be held responsible for the material deficiency. |
|
Article 36 | Where a service enterprise has established an audit committee in accordance with the Securities and Exchange Act, the provisions of Article 5, paragraph 1, Article 7, paragraph 1, subparagraphs 1 and 5, Article 16, paragraphs 1 and 2, Article 17, paragraph 1, and Article 27, paragraph 2 of these Regulations in relation to supervisors shall apply mutatis mutandis to the audit committee. |
|
Article 36-1 | A service enterprise shall adopt appropriate risk management policies and procedures, and establish independent and effective risk management mechanisms, to assess and monitor the overall risk-bearing capacity, and the current status of risk already incurred, and to determine its compliance with the risk response strategies and risk management procedures. |
|
Article 36-2 | A service enterprise with specific requirements shall appoint a person at the level of deputy general manager (vice president) or higher or a person of equivalent position to concurrently serve as its chief information security officer, who shall be in charge of the overall promotion of information security policy and the allocation of related resources. Those requirements shall be prescribed by the competent authority. A service enterprise shall allocate adequate human resources and equipment for the planning and monitoring of the information security system and the implementation of information security management operations. The competent authority may, after having considered the size, business nature, and organizational characteristics of the service enterprise, order service enterprises to establish a dedicated information security (i.e., cybersecurity) unit, chief officer, and other personnel. Each year, the service enterprise's chief information officer or highest officer responsible for information security and its chairman, president, and chief internal auditor shall jointly sign and issue the Statement on Internal Control set out in Article 24, with content including the status of overall implementation of information security in the preceding fiscal year, and submit it to the board of directors for approval within 3 months after the end of the fiscal year. The service enterprise's information security officer and personnel shall attend at least 15 hours of information security professional courses or functional training every year. All other personnel who use the information system shall attend at least 3 hours of information security awareness courses every year. The Securities Association, National Futures Association, and Securities Investment Trust and Consulting Association of the R.O.C. shall adopt and regularly review self-disciplinary regulations relating to information security. |
|
Article 36-3 | A service enterprise may have in place, according to its business conditions and management needs, qualified corporate governance personnel in an appropriate number and may appoint one chief corporate governance officer as the most senior executive for corporate governance affairs. However, the competent authority shall require a service enterprise to appoint a chief corporate governance officer if so required in consideration of its size or business nature or in any other necessary circumstances. The corporate governance affairs referred to in the preceding paragraph shall include, at a minimum, the following: 1. Handling of matters relating to board of directors meetings and shareholders meetings in compliance with law. 2. Preparation of minutes of board of directors meetings and shareholders meetings. 3. Assistance in onboarding and continuing education of the directors and supervisors. 4. Provision of information required for performance of duties by the directors and supervisors. 5. Assistance to the directors and supervisors in complying with laws and regulations. 6. Other matters specified by the articles of incorporation or by contract. The chief corporate governance officer described in paragraph 1 shall be a managerial officer of the company. The chief corporate governance officer shall be subject to the following requirements, unless otherwise provided by law or regulation: 1. A chief corporate governance officer shall be a qualified, practice-eligible lawyer or CPA or have served in a managerial position for at least 3 years in a securities, financial, or futures related institution or a public company in a unit handling legal affairs, legal compliance, internal auditing, financial affairs, stock affairs, or corporate governance affairs. 2. A chief corporate governance officer shall complete a minimum of 18 hours of continuing education courses within 1 year from the date of the person's appointment to that position, and a minimum of 12 hours of continuing education courses in each following year. The continuing education courses shall include, at a minimum, corporate governance related topics such as commerce, legal affairs, finance, accounting, corporate social responsibility, risk management, and internal control. The qualified continuing education institutions and the conduct of continuing education shall be subject mutatis mutandis to the provisions of the Directions for the Implementation of Continuing Education for Directors and Supervisors of TWSE Listed and TPEx Listed Companies, as jointly adopted by the Taiwan Stock Exchange and the Taipei Exchange, with respect to the continuing education system. Unless otherwise provided by law or regulation, a service enterprise may appoint a person holding another position in the company to concurrently serve as its chief corporate governance officer. Where the service enterprise appoints a person holding another position to concurrently serve as its chief corporate governance officer, it shall ensure that the functions and duties of both the principal position and the concurrent position of that person are discharged effectively, and there shall be no conflicts of interest or violations of the internal control system. In the event of resignation or dismissal of the chief corporate governance officer appointed under the proviso of paragraph 1, the service enterprise shall appoint another person to fill the vacancy within 1 month from the date of occurrence. |
|
Article 37 | The competent authority shall separately prescribe the formats described in these Regulations. |
|
Article 38 | In the case of a service enterprise being a foreign enterprise's branch unit within the territory of the Republic of China, the functions required by these Regulations to be performed by the board of directors or the supervisors may be performed by the responsible person of that branch unit within the territory of the Republic of China authorized by the board of directors of the foreign enterprise. |
|
Article 39 | These Regulations shall enter into force from the date of issuance. The 21 December 2011 amendments shall enter into force 3 months after the date of issuance, except Article 8, paragraph 1, subparagraph 14 and Article 14, paragraph 3, which shall enter into force from 30 December 2011. The provisions amended and issued on 22 September 2014 shall enter into force from 1 January 2015. Article 28-1 introduced in the 30 May 2018 amendments shall enter into force 6 months after the date of issuance. Article 8, paragraph 5 and Article 14, paragraph 6 amended on 22 April 2024 shall enter into force from 1 January 2025. |
|